SOX Out, GRC In

For the first time in five years, companies will be spending more on IT governance than on Sarbanes-Oxley compliance, study says

Dark Reading Staff, Dark Reading

March 26, 2008


Sarbanes-Oxley compliance, the single greatest driver behind IT security spending for the last five years or so, is finally cooling down.

According to a new study by AMR Research, SOX spending will grow only 2 percent in 2008, to about $6.2 billion. SOX, like other regulatory compliance projects, is becoming "a necessary 'to-do,' but not a top-of-mind initiative," the research firm says.

Instead of focusing on individual compliance initiatives, companies are now looking to expand the scope of their IT security programs to include risk management and a wide variety of compliance efforts, AMR says. Spending on IT governance, risk, and compliance (GRC) programs will increase 7.4 percent in the coming year to reach $32 billion, AMR predicts.

"In this economic climate, companies can no longer focus solely on reactive spending to meet each new regulation," explains John Hagerty, vice president and research fellow at AMR Research. "As executives are becoming aware of how different business and IT risks affect their bottom line, their spending focus is shifting toward approaching risk strategically, not just tactically."

For the last few years, GRC services numbers have been decreasing as companies streamlined compliance activities, AMR says. But as risk rises in importance, companies report they need guidance on how to frame the risk discussion in a business context. Thus, GRC initiatives remain an intensely human effort. Two-thirds of GRC budgets -- approximately $21.5B -- are earmarked for people-related expenses (both internal staff and outsourced services) in 2008, the research firm says.

— Tim Wilson, Site Editor, Dark Reading
